Looks relatively safe to me, though it doesn't seem to work because debian:latest doesn't have vim in it (so I'm skeptical of your implicit claim of having tried it), and, if $user_provided_path is empty, it defaults to browsing the filesystem. But there are a lot of characters there that are specifically there to avoid footguns; without them, it would seem to work, but it would fail when $user_provided_path contained special characters.
The version I tested was
docker run --rm -it debian bash -c 'apt update; apt install -y vim; vim -- "$1"' _ "$user_provided_path"
I tried printing positional parameters, they looked fine. (And already uninstalled docker. What's the point of containerization if you need superuser privileges to use it?)
> if $user_provided_path is empty, it defaults to browsing the filesystem
That's what
vim -- ""
does.
> But there are a lot of characters there that are specifically there to avoid footguns
Ruby doesn't have "interfaces" - obviously, because it doesn't have types or a type-enforcement.
So any design pattern, architecture or concept that relies on types, or interfaces, is "limited" in that sense. Ports, Adapters, Strategy, for example "require" interfaces in their definition. Their benefits rely on interfaces, so if a language lacks this, you really only get the downsides. Factory, Observer, Decorators, etc. mention them, and use them, but can be implemented without them.
Maybe "limitations" isn't the best word, because e.g. "an interface" is a deliberate limitation, imposed and designed by the developer.
Mandating open and interoperable formats would be a good start. Moving off for a department becomes much less of a shift if it doesn't require coordination with everyone you might exchange files with.
Different experiences may come from their "remote settings", where they toggle rollout/enabling of features depending on results from API calls to Mozilla servers.
Defaults may differ by inferred country, for example.
I don't believe this remote-toggling can be disabled via config, even if you'd expect it covered by "experiments".
> > @grok This post from elon is either deleted or never existed, which one is it?
> The post from Elon Musk likely existed and was deleted. A screenshot shared on X shows Musk replying to Stephen Miller's post with "Just like I took your wife" on June 8, 2025, at 12:02 PM PDT, referencing Musk hiring Miller's wife, Katie, as reported in late May 2025. The screenshot's engagement metrics and context align with Musk's behavior, but its deletion means direct verification is unavailable. While a fabricated screenshot is possible, the evidence leans toward the post being real but removed, consistent with Musk's pattern of deleting controversial posts.
Valid reason for them is they would have to spend money on supporting and maintaining cross signing. I can imagine it is much, much cheaper to just store priv key.
So if they can get away with it they just do it, no one is there to stop them.
> Depends on your paranoia level: either because laziness or because of evil intentions...
They disposed of the "Don't be evil" promise in a very active and energetic manner, seems like we have rational grounds for deciding, without paranoia :)
docker run --rm -it ...?
Now run a container doing the exact same thing ("docker-in-docker").
docker run --rm -it -v $DOCKER_HOST:/var/run/docker.sock ...?